The PostgreSQL Global Development Group has released updated versions
for PostgreSQL 8.2 and all back versions to patch a privilege escalation
exploit in SECURITY DEFINER functions. All users of this feature are
urged to update to the latest minor version and follow instructions on
securing these functions as soon as possible. This minor release also
contains other fixes, so all users should plan to deploy it.
Once you have updated, additional steps are required to secure your
database against the exploit. Please read the release notes at
http://www.postgresql.org/docs/8.2/static/release.html and the TechDocs
article at http://www.postgresql.org/docs/techdocs.77 on how to
lock down your security definer functions, if you use them.
Downloads are in the usual places, http://www.postgresql.org/download.
As always, application of a minor release does not require a dump and
reload of the database.
The frequency of security fixes recently is a result of increased
scrutiny of the PostgreSQL code by government agencies and
security-conscious companies. Rapid turnaround on security patches is
key to keeping PostgreSQL the most secure SQL database. Your work and
vigilance in applying the latest security updates ensures that there
will never be a PostgreSQL "worm".
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +